How does the SAML SessionIndex and SLO flow work?

I would like to clarify my understanding of SAML, in particular SLO. I have tried searching through previous posts, but I cannot seem to confirm my understanding. Thank you for any responses 🙂

  1. Is the SessionIndex value in the SAML assertion the same for each SP in the same session? For example, if UserA logs into the IdP and then opens SP1, SP2 and SP3, do they all share the same SessionIndex or is it one SessionIndex per SP? My understanding is that it is one SessionIndex per SP, is this correct?

  2. When an SP-initiated SLO Logout Request is raised to the IdP, is the SessionIndex contained within the Logout Request used by the IdP to check which SPs share the same SessionIndex (and therefore, have an active session with the user), or does the IdP look up all the different SessionIndexes using the principal (NameID) that was contained within the original SP-initiated SLO request? My understanding is that it is the latter, is this correct?

  3. Can an SP-initiated or IdP-initiated SLO Logout Request terminate all sessions (on different browsers and devices) for the principal/user rather than one? For example, if UserA logs into SP1 from DeviceA and DeviceB, is it possible to use SLO to terminate both sessions? My understanding is that this is only possible by using IdP-initiated SLO via back channels rather than front channels, is this correct, and is this the only way?

  4. With third-party cookies starting to be widely blocked, how does this affect the SLO front channel process?
